Tomáš "Timmy" Duda (@tomasduda), one of the developers of Euro Truck Simulator 2, was banned by Valve from the Steam Community and Steamworks for a year, for pointing out that Steam announcements were vulnerable to XSS script injection. After failing to get any response from Valve for a long time, he finally decided to showcase the vulnerability by adding a harlem shake script to an announcement.

Valve's response? They fixed the bug, and banned him for a year. This means he is now unable to patch his games. (Edit: okay, not quite that drastic, as SCS has more employees. Timmy is locked out though, and he was the SCS Steam community manager.)

Well that means he hacked their system so to speak... there are some clear rules on that subject.I'll agree that Valve need to listen up and sort their stuff when a problem arises, but that still doesn't permit one to break other peoples shit to make a point.

Man, that sucks. A vulnerability is bad news and should be fixed immediately, and all he was trying to do was get Valve to listen.

But at the same time, maybe he shouldn't have taken it upon himself to showcase the vulnerability. He's a developer after all, with a game up on Steam, I don't think it's a good idea to risk your professional relationship with Steam, and your position to support your game, for the sake of getting a point across. Surely there must have been a better way to communicate this problem to Valve, even after trying and them not listening. When it comes down to it, the guy broke the rules, and procedures need to be followed.

That being said, Valve should review this case. If what the guy is saying is true and he tried to tell them about the problem for awhile. Then there was a failure of communication on Valve's behalf. It's not right for them to ignore the problem for such a long time, and punish him for what can ultimately be blamed on their own inaction. If they listened to him in the first place, this would've never happened. I have no idea how much this guy tried to communicate the problem to valve, but I still think there could have been a better way for the guy to prove his point than to exploit the vulnerability himself with a goddamned harlem shake. That's not the sort of behavior I'd expect from a professional videogame developer.

And ignoring a website vulnerability is not the behavior I'd expect from a major company like Valve.

All in all, there's faults to both sides here. But the original, and greatest fault falls on Valve. The guy broke the rules and was given a punishment as per procedure. But I think Valve should review the case and lift the suspension from him. After all, he was trying to help, and they didn't listen. And he should stop fucking around with Valve's websites and find a better way to communicate problems.

erbkaiser:Oh agreed, it is a foolish way to show the problem, but apparently Valve's response was sticking its head in the sand:

"We allow devs to use all html (unfiltered), because we trust them."

When you're faced with such dangerous ignorance, sometimes a harmless demonstration of the potential for malicious intent is the only option left.

Maybe... I'm trying to picture myself in the guy's position, and I'm sure the frustration of not being listened to must have been great. But I'm not sure how I'd leverage my professional relationship with Steam vs the need to prove a point.

In the professional world when problems like this arise, every angle needs to be examined. Because that means there is a problem in the system. It's not entirely unreasonable to hand him a punishment off the bat for breaking rules, but an investigation should be conducted as well. They need to find out how the vulnerability came to be in the first place, and why his pleas to fix the problem went unheard.

It seems like his stunt, while annoying and embarrassing, had a positive effect of Valve finally fixing the problem. So, I think it's reasonable and fair to lift the suspension. They need to learn from this and improve their communications next time and make sure problems get fixed. I honestly hope the guy doesn't have to serve his suspension.

Would it have been better if he had done nothing, and we'd have to wait for some scumbag dev (like the ones behind some of those crappy games Jim Sterling plays) to inject a script vulnerability to install trojans on people's machines instead?

Or imagine if a Bohemia Interactive dev got hacked, and they got access to his Steam Dev data. They could've posted an announcement to, say, the Steam page for DayZ, and infected millions of PCs.

The system was wide open. Still is apparently, Valve only partially fixed it. They only blocked [script] tags, Javascript injected in attributes still works.

I agree it's not the smartest thing to do, but to ban a whistleblower for a year is excessive IMO.

I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

Geo Da Sponge:I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, hell even if they didnt theyd still be violating private property wouldnt they?

Geo Da Sponge:I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

is like robbing a bank and saying "see? you need to hire more security guards!"

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, he still took advantage of the exploit

But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in anyway damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, which is like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.

anyways, the problem with your entire argment is that you think this was THE ONLY WAY to get Valve attention, when im willing to bet, there are many others that wouldnt be agasint the subscriber agreement, im not agaisnt the dev message, im agaisnt the way he decided to deliver it

Geo Da Sponge:I can hardly blame him for really wanting to demonstrate this vulnerability, given the fact that a sizable amount of his income probably comes through Steam. If this problem had gone ignored and unfixed for longer, the results could have indirectly harmed him by damaging Steam's reputation, or potentially harm him in a far more direct way. Who knows?

Valve just seems more and more determined to bury their head in the sand and make communication impossible over everything. It was kind of cute when they were just being coy about game development, but acting that way about everything doesn't help at all.

Not really. It's more like breaking into a bank vault, not harming or alerting anyone in the process, and then leaving a detailed note explaining how they did it and how they could fix it inside the vault.

but still stealing money, he still took advantage of the exploit

But he didn't take anything... Nothing he did used the exploit against anyone, apart from using it to demonstrate that he could.

Listen, I don't like basing entire arguments off of metaphors, but in this case:

Bypassing bank security = Using the exploit

Leaving a note in the vault = Leaving a silly video to prove he'd done it

Stealing money = Using the exploit to give himself some advantage on Steam, or in anyway damaging Steam

Since he didn't actually do anything that damaged Steam beyond posting a silly little video (and you seem to be arguing that he didn't even have to do that for it to equate to stealing; just using the exploit was enough), that can't really be equated to stealing money, can it?

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

Or, to torturously stretch the bank metaphor even further, which is like breaking into the bank which you use, in order to specifically reach the deposit box which you own, in order to prove that it's not secure and therefore your stuff is at risk. But the bank bans you for a year for showing the gaping hole in their security, even after you pointed it out through the proper channels first.

but then wouldnt you be violating private property if you broke into a bank to leave the note? even if you didnt take anything, see the problem is that the act itself is a crime, and sure enough what this guy did is agaisnt the steam subscriber agreement

the problem is that this dev took a drastic action, i bet there were other ways to get the message accross

but right now, he screwed himself and he screwed his customers and nobody is happy

But to bring it back to the main point, this guy relies on Steam. It's used to sell the product he worked on, EuroTruck Simulator 2. He has security concerns with the system, and since he was being ignored previously, this seemed to be the only way he could get it acknowledged. If the people who use your system and bring in the money for it have concerns over its security, the last thing you should be doing is punishing them for demonstrating the problem. It's like Valve has so much momentum with Steam they really don't care if the developers using it hate it, because they know that there's nowhere else to go.

And in case my point above was ignored, given how GeoHotz was turned into a sort of folk hero in the wake of the PS3 Jailbreak, it's jaw-dropping to see someone who did far less being blamed for trying to procect his livelyhood. Worse, he went through the official channels and was promptly ignored and yet the the usual excuses are being brought out to defend Valve/Steam.

SO! He warned them ahead of time, tried to get their attention to fix the problem and then when they ignored his pleas he showed them the error with a harmless but effective demonstration. And instead of thanking him for pointing it out and making sure it was fixed before something serious happened with it, they banned him for a year. They need to reverse this, it's bullshit. Not only that, what about all the poor sods that got ETS2? I don't like the game but dammit it's not fair to them either.

Just in case anyone fails to grasp the potential security risk of this -- on Windows, the main platform Steam is used on, STEAM BYPASSES UAC BY DESIGN (using the Steam Client Service).Let that sink in for a second.

This exploit allowed anyone with Steam developer access to place ANY Javascript on a Steam announcement, which means it will automatically be on Steam's front page in the 'Recently Updated' section, and any script contained on that page will be executed by the built-in Steam browser with elevated user access.

Could the bug have been directly used to damage him? If not, then why did he care? Preventative measures are never taken by companies as big as Valve. Better let them burn at their own volition than try to save them from their own shortsightedness.

Good intentions don't get you far when directed at people like them. I hope he gets unbanned though.

Title's kinda misleading, dude. You make it sound like Valve banned him because they didn't want to hear what he was trying to tell them. He got banned for hacking their system. In fact, I'm more than willing to bet he was expecting to be banned after they fixed the vulnerability. Maybe he can make an appeal later, but for the moment, he'll just have to live with his decision.

Valve's community management isn't a judicial system. They're going to ban whoever breaks the rules, period. They aren't meant to make judgments on whether or not you broke the rules for the right reasons.

EDIT: Just so we're clear, I'm not condemning the guy for what he did. So long as he's willing to live with the consequences, I'd say job well done. If, however, he's going around crying about it on the internet, that's where I have no sympathy. He doesn't need defending, and Valve doesn't need condemnation.

erbkaiser:And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?By all accounts, Valve was informed months ago, and decided to ignore it.

Yes. He is a game developer with a business relationship with Valve. He is not a security expert under the employ of Valve. He did well in reporting the vulnerability to Valve, but that is where both his responsibility and rights end on that subject. By going a step further and exploiting the vulnerability, he left himself open to potential consequences for his actions.

It's fine to take a moral stand that conflicts with ethics and legality, but you have to be willing to accept that your actions may have a negative personal outcome. Anything less is childish.

erbkaiser:And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?By all accounts, Valve was informed months ago, and decided to ignore it.

couldnt he contact more devs to try to make his voice be heard? couldnt he start a campaign to let people know theres a potential exploit, he could even put an ingame message in his game or something

there ARE ways

Contacting devs? That is how he got banned in the first place. He was in the Steam dev IRC and they were talking about the exploit. To prove what he said existed, he altered the update to show the Harlem Shake -- Valve finally noticed, and banned him.

Valve/Steam ignoring perfectly reasonable requests and demands? I'm nowhere near surprised, is this a good time to mention how Steam's customer service is so poor it's technically illegal in the UK?

Remember when Steam was heralded as the "saviour of PC gaming?" Yeah me neither. Valve has used up all of their goodwill over the last two year as far as i'm concerned.

Also that Harlem Shake example sounds hilarious, +1 interwebz to that guy. Not like Steam will reverse the ban though, that would be far too reasonable of them, listening to their community even. Dangerous thinking.

erbkaiser:And again, what was his alternative? Wait until the inevitable malicious exploit gets on Steam?By all accounts, Valve was informed months ago, and decided to ignore it.

couldnt he contact more devs to try to make his voice be heard? couldnt he start a campaign to let people know theres a potential exploit, he could even put an ingame message in his game or something

there ARE ways

Contacting devs? That is how he got banned in the first place. He was in the Steam dev IRC and they were talking about the exploit. To prove what he said existed, he altered the update to show the Harlem Shake -- Valve finally noticed, and banned him.